Description:
A vulnerability was reported in Microsoft Windows Plug and Play. A remote user can execute arbitrary code on the target system.

A stack-based buffer overflow vulnerability exists in Plug and Play that allows a remote user to take complete control of the target system.

On Windows 2000, a remote user can send a specially crafted packet to exploit this vulnerability.

On Windows XP Service Pack 1, only a remote authenticated user can exploit this vulnerability in default configurations. On August 23, 2005, Microsoft issued a separate advisory (http://www.microsoft.com/technet/security/advisory/906574.mspx) clarifying that some non-default configurations of Windows XP SP1 are vulnerable to non-authenticated attacks. If Simple File Sharing is enabled, then the Guest account is also enabled and is permitted to access the system via the network. As a result, a remote user can use the Guest account to attempt to exploit the vulnerability against Windows XP SP1-based systems.

On Windows XP Service Pack 2 and Windows Server 2003, only a remote authenticated administrator can access the affected component to trigger the vulnerability.

Exploit code is available for this vulnerability. The vendor indicates that the exploit code primarily affects Windows 2000 users.

A worm (Zotob.A and variants) that exploits this vulnerability is circulating. Microsoft has issued guidance, available at:

http://www.microsoft.com/security/incident/zotob.mspx

On August 16, 2005, several anti-virus vendors issued 'Medium' risk rating warnings for variants of the Zotob worm and for the W32.Esbot.A worm (also known as Backdoor.Win32.IRCBot.es, W32/IRCbot.gen, W32/Sdbot-ACG, and BKDR_RBOT.BD). These worms may attempt to open backdoor ports on the infected system or join an IRC channel. The worms attempt to exploit other unpatched systems on port 445.
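
The propagation behaviour described above (infected hosts probing other systems on port 445) shows up in firewall or flow logs as a single source reaching many distinct hosts on TCP 445 within a short time. The following Python example is added here for detection purposes and is not part of the original advisory; the log line format, addresses, time window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the advisory), one per line:
# "<ISO timestamp> <source IP> <destination IP> <destination port> <action>"
SAMPLE_LOG = (
    # one host touching six different peers on 445 within six seconds
    [f"2005-08-16T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445 DENY" for i in range(1, 7)]
    # five different peers on 445, but ten minutes apart
    + [f"2005-08-16T10:{i:02d}:00 10.0.0.8 10.0.2.{i} 445 ALLOW" for i in range(0, 50, 10)]
    # normal client repeatedly using the same file server
    + ["2005-08-16T10:00:30 10.0.0.9 10.0.1.2 445 ALLOW"] * 3
    + ["truncated line"]  # malformed input must not stop the scan
)

def parse(line):
    """Split one record; raises ValueError on a malformed line."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def smb_fanout(lines, window=timedelta(seconds=60), threshold=5, port=445):
    """Return {source: peak count of distinct destinations contacted on
    `port` inside any `window`} for sources whose peak meets `threshold`."""
    events = defaultdict(list)
    for line in lines:
        try:
            ts, src, dst, dport, _ = parse(line)
        except ValueError:
            continue  # skip records that do not match the assumed format
        if dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, peak in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct hosts on TCP 445 within 60s")
```

Counting distinct destinations rather than connections keeps a client that talks repeatedly to one file server from being flagged.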

Microsoft credits Neel Mehta of ISS X-Force with reporting this vulnerability and Jean-Baptiste Marchand of Herve Schauer Consultants for reporting a related issue.

Impact:
A remote user can execute arbitrary code on the target system with System level privileges.

On August 12, 2005, Microsoft indicated that exploit code is available but that customers that have applied the above listed fix are not affected by the recently released exploit code. Their advisory regarding the exploit code is available at: